
One Click Approval - redundancy.

dazza_johnson
Level 5

Hey guys, I have two ISE nodes in the DMZ hosting the guest portal for 'One Click Approval'. The dilemma I have is the 'Approve' (or 'Deny') URL as shown below. By default, this is the IP address of the ISE node which the guest used to create an account. Obviously, we do not want the cert error associated with an IP address in an HTTP URL.

I can set the URL using an FQDN in the Sponsor portal which I then assign to the guest portal. However, the issue here is that the FQDN is mapped to an IP address of, for example, DMZ ISE node 1. So what happens when the guest was actually using the guest portal on DMZ ISE node 2? Does ISE require that the approval URL hits the same ISE node as that which the guest created the account on or is it a viable scenario where the guest is created on ISE DMZ node 2, but the approval is sent to ISE DMZ node 1?

At this stage, I am thinking that the approval link must hit the same ISE node that the guest created the account on. My fix here is to create two guest portals and two sponsor portals. Guest portal 1 is mapped to sponsor portal 1 and Guest portal 2 is mapped to sponsor portal 2. Auths that hit ISE DMZ node 1 use guest portal 1 and auths that hit ISE DMZ node 2 use guest portal 2. Sponsor portal 1 uses an FQDN which maps to the IP address of ISE DMZ node 1 and sponsor portal 2 uses an FQDN which maps to the IP address of ISE DMZ node 2. This way, the Approve URL always hits the ISE node that the guest created an account on.

Can anyone comment on my ramblings here!?



Jason Kunst
Cisco Employee

Darren, under the portal settings for single click there is a mapping to a sponsor portal.

You can choose a portal to map to, and this sponsor portal would have an easy URL FQDN mapped to it.

DNS would resolve to any of the IP addresses you have set up for that.

Hi there, as per my post I know there is a mapping to the sponsor portal under the guest portal ;-)

My question was around redundancy for guest portals. I have two ISE nodes; I can't map them both to one sponsor portal because it won't work? I.e. the guest hits the guest portal on ISE node #1. The FQDN the sponsor portal uses for the Approve URL resolves to and hits ISE node #2 - this won't work because the approve link needs to hit the same ISE node that the guest registered with?

All portals run on all PSNs so there is no problem

The approve link can hit any sponsor portal

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Guest Access User Interface Reference [Cisco Identit…

  • Fully Qualified Domain Name (FQDN)—Enter at least one unique FQDN and/or hostname for your Sponsor or MyDevices portal. For example, you can enter sponsorportal.yourcompany.com,sponsor, so that when the user enters either of those into a browser, they will reach the sponsor portal. Separate names with commas, but do not include spaces between entries. If you choose to update the default FQDN, you should also do the following:
    • Update DNS to ensure that the FQDN of the new URL resolves to a valid Policy Services Node (PSN) IP address. Optionally, this address could point to a load balancer virtual IP address that serves a pool of PSNs.
    • To avoid certificate warning messages due to name mismatches, include the FQDN of the customized URL, or a wildcard, in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE PSN.

Yeah, sweet. I just tested this for my own sanity by editing the Approve URL to a different PSN IP address and it works great. Thanks Jason :-)

mikaelbje
Level 1

Sorry for bringing this up again, but is there a way to change the Approve/Deny URL to a different port? We have placed our ISE servers behind an F5 LTM and it's serving the guest portal on port 443, but the email sent for approval to the sponsor unfortunately contains the URL with port 8445 in it. I'd like to change that to 443.

No there is no way to modify the port number.

Have you tried changing the load balancer to port 8445 to match the sponsor portal? There needs to be some sort of rewrite happening.

I just spoke to our SME on load balancing and he asked why you couldn't set up the LB to listen on 8445.
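As an added illustration (mine, not from the thread or from Cisco) of the conditions in the admin-guide excerpt quoted above and of the port question just discussed, the script below checks an Approve/Deny link offline: the host should be an FQDN rather than a PSN IP address, that FQDN should be covered by the PSN certificate's SAN entries, DNS should resolve it only to PSN or load-balancer VIP addresses, and the port in the link should match what actually listens (8445 for the sponsor portal, or whatever the load balancer exposes). The PSN addresses, SAN list and the `resolved` override are constructed sample values and hypothetical parameters, not anything read from a real ISE deployment.

```python
"""Sanity checks for a Cisco ISE One Click Approval link.

Hypothetical helper written for this thread; not part of ISE or any Cisco tool.
It encodes the conditions discussed: the Approve/Deny URL should carry an FQDN
rather than a PSN IP address, that FQDN must be covered by the PSN certificate's
subject alternative names, DNS should resolve it only to PSN (or load-balancer
VIP) addresses, and the port in the link must match the listener (the 8445 vs
443 mismatch raised later in the thread).
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse


@dataclass
class Finding:
    code: str       # short machine-readable tag ("ip_literal", "san", "dns", "port", "scheme")
    severity: str   # "error" or "ok"
    message: str


def is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address (the ISE default that triggers a cert warning)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def san_matches(san_entries: Iterable[str], host: str) -> bool:
    """Match host against DNS SAN entries. A leading wildcard covers exactly one label."""
    host = host.lower().rstrip(".")
    for entry in san_entries:
        entry = entry.lower().rstrip(".")
        if entry == host:
            return True
        if entry.startswith("*."):
            suffix = entry[1:]                      # "*.example.com" -> ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def resolve_fqdn(host: str) -> List[str]:
    """Best-effort A/AAAA lookup; empty list when offline or the name does not exist."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def check_approval_url(url: str, psn_addresses: Iterable[str], san_entries: Iterable[str],
                       listener_port: int, resolved: Optional[List[str]] = None) -> List[Finding]:
    """Evaluate one Approve/Deny URL. `resolved` overrides live DNS so the check runs offline."""
    findings: List[Finding] = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    port = parsed.port or (443 if parsed.scheme == "https" else 80)

    if parsed.scheme != "https":
        findings.append(Finding("scheme", "error", f"link is {parsed.scheme or 'unknown'}, expected https"))

    if is_ip_literal(host):
        findings.append(Finding("ip_literal", "error",
                                f"host {host} is an IP address; sponsor browsers will see a certificate warning"))
    else:
        if san_matches(san_entries, host):
            findings.append(Finding("san", "ok", f"{host} is covered by the PSN certificate SAN"))
        else:
            findings.append(Finding("san", "error", f"{host} is not in the PSN certificate SAN"))

        addrs = resolve_fqdn(host) if resolved is None else resolved
        stray = [a for a in addrs if a not in set(psn_addresses)]
        if not addrs:
            findings.append(Finding("dns", "error", f"{host} does not resolve"))
        elif stray:
            findings.append(Finding("dns", "error", f"{host} resolves to non-PSN address(es): {', '.join(stray)}"))
        else:
            findings.append(Finding("dns", "ok", f"{host} resolves only to PSN/VIP addresses: {', '.join(addrs)}"))

    if port != listener_port:
        findings.append(Finding("port", "error",
                                f"link uses port {port} but the portal/load balancer listens on {listener_port}"))
    else:
        findings.append(Finding("port", "ok", f"port {port} matches the listener"))
    return findings


def error_codes(findings: Iterable[Finding]) -> set:
    """Set of codes for findings with severity 'error'; empty set means the link passes all checks."""
    return {f.code for f in findings if f.severity == "error"}


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses), not from any real deployment.
    PSN_ADDRESSES = ["192.0.2.11", "192.0.2.12"]
    PSN_SAN = ["ise-dmz1.example.com", "ise-dmz2.example.com", "*.example.com"]
    for link in ("https://192.0.2.11:8445/sponsorportal/Approve?token=CONSTRUCTED",
                 "https://sponsor.example.com:8445/sponsorportal/Approve?token=CONSTRUCTED"):
        for f in check_approval_url(link, PSN_ADDRESSES, PSN_SAN, listener_port=8445,
                                    resolved=["192.0.2.12"]):
            print(f"{f.severity:5} {f.code:10} {f.message}")
```

Feed it the link from a real approval email together with your own PSN list and the SAN entries of the PSN certificate; any `error` line corresponds to one of the three failure modes in the thread (certificate warning from an IP literal or a missing SAN, DNS pointing somewhere other than a PSN or VIP, or a port in the link that nothing listens on).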